|  | 
  
    | 
     |  
    | 
    User Controls |  
    | New User |  
    | Login |  
    | Edit/View My Profile |  
    | 
     |  
    | 
     |  
    | 
     |  
    | 
    ActiveMac |  
    | Articles |  
    | Forums |  
    | Links |  
    | News |  
    | News Search |  
    | Reviews |  
    | 
     |  
    | 
     |  
    | 
     |  
    | 
    News Centers |  
    | Windows/Microsoft |  
    | DVD |  
    | ActiveHardware |  
    | Xbox |  
    | MaINTosh |  
    | News Search |  
    | 
     |  
    | 
     |  
    | 
     |  
    | 
    ANet Chats  |  
    | The Lobby |  
    | Special Events Room |  
    | Developer's Lounge |  
    | XBox Chat |  
    | 
     |  
    | 
     |  
    | 
     |  
    | 
    FAQ's |  
    | Windows 98/98 SE |  
    | Windows 2000 |  
    | Windows Me |  
    | Windows "Whistler" XP |  
    | Windows CE |  
    | Internet Explorer 6 |  
    | Internet Explorer 5 |  
    | Xbox |  
    | DirectX |  
    | DVD's |  
    | 
     |  
    | 
     |  
    | 
     |  
    | 
    TopTechTips |  
    | Registry Tips |  
    | Windows 95/98 |  
    | Windows 2000 |  
    | Internet Explorer 4 |  
    | Internet Explorer 5 |  
    | Windows NT Tips |  
    | Program Tips |  
    | Easter Eggs |  
    | Hardware |  
    | DVD |  
    | 
     |  
    | 
     |  
    | 
     |  
    | 
    Latest Reviews |  
    | Applications |  
    | Microsoft Windows XP Professional |  
    | Norton SystemWorks 2002 |  
    | 
     |  
    | Hardware |  
    | Intel Personal Audio Player 
    3000 |  
    | Microsoft Wireless IntelliMouse 
    Explorer |  
    | 
     |  
    | 
     |  
    | 
     |  
    | 
    Site News/Info |  
    | About This Site |  
    | Affiliates |  
    | ANet Forums |  
    | Contact Us |  
    | Default Home Page |  
    | Link To Us |  
    | Links |  
    | Member Pages |  
    | Site Search |  
    | Awards |  
    | 
     |  
    | 
     |  
    | 
     |  
    | 
    Credits©1997/2004, Active Network. All 
    Rights Reserved.
 Layout & Design by
    
    Designer Dream. Content 
    written by the Active Network team. Please click
    
    here for full terms of 
    use and restrictions or read our
    
    Privacy Statement.
 |  
 |  |  |  | 
 
 
     
       
         |  |  |  
         |  |  
         | Time:
           23:36 EST/04:36 GMT | News Source:
           ActiveWin.com |
           Posted By: Kenneth van Surksum |  | Mozilla Firefox 3 has been released. Available for Windows, Mac OS X and Linux in 46 different localisations, Firefox 3 is the most major Mozilla browser release since the launch of Firefox 2 in October 2006 and represents the culmination of over three years work (development on Firefox 3 began before even Firefox 1.5 came out). According to the press release announcing Firefox 3, the new version has over 15,000 improvements. Firefox 3 can be downloaded from the redesigned Firefox product page or the Firefox 3.0 directory on releases.mozilla.org (it's not yet being offered to Firefox 2 users via the software update system). More information can be found in the Firefox 3 Release Notes. The use of newer technologies means that Firefox 3 has higher system requirements than Firefox 2. In Microsoft land, Windows 95, 98, ME and NT 4.0 are no longer supported. On the Mac side, the minimum OS X version jumps from 10.2 Jaguar to 10.4 Tiger. In both cases, the operating system versions that are no longer supported have long since been abandoned by even Microsoft and Apple.
 |  
        |  |  
	
		
			| #1 By
					            92283 (70.66.69.111)
					at 
					6/18/2008 9:41:58 PM |  
			| http://blogs.zdnet.com/security/?p=1288 
 "Just hours after the official release of the latest refresh of Mozilla’s flagship browser, an unnamed researcher has sold a critical code execution vulnerability that puts millions of Firefox3.0 users at risk of PC takeover attacks.
 
 According to a note from TippingPoint’s Zero Day Initiative (ZDI) , a company that buys exclusive rights to software vulnerability data, the Firefox 3.0 bugalso affects earlier versions of Firefox 2.0x.
 
 "
 
 
 |  
 
	
		
			| #2 By
					            23275 (68.186.182.236)
					at 
					6/19/2008 9:24:52 AM |  
			| @1, no surprise there. I think it was found during the BETA testing and held until the release date once it was confirmed that the vuln. remained in the release code. I think it's pretty crummy if the information was held back, but that's the world we live in. It does also continue to reflect that FF/Moz is not the security panacea that it was held out to be - it never was - no more than a properly managed and run IE was ever the threat to users it was held out to be. 
 IE 7 on Vista remains the most secure browsing experience and it was interesting to read FF user comments to the effect of, "IE 7 has the security advantage... " So apparently, among some consumers, an understanding of IE's security model on Vista is being delivered.
 |  
 
	
		
			| #3 By
					            15406 (216.191.227.68)
					at 
					6/19/2008 12:09:09 PM |  
			| #1:  This might be the first documented instance where you've complained about a Firefox bug that hasn't already been fixed yet. 
 #2:  How can you say any of that with a straight face, considering just last week or so there was a Vista+IE7 remote code exploit??  And your reference to a FF user claiming IE is more secure is proof of nothing.  You rail against bloggers who disagree with you, but one comment from a random guy that backs your opinion is good enough for you.  You will never find a FF user who believes IE has better security, primarily because FF users ran away from IE due to its myriad problems.  MS astroturfers posing as FF users, maybe.
 |  
 
	
		
			| #4 By
					            23275 (68.186.182.236)
					at 
					6/19/2008 12:29:51 PM |  
			| @3, Two "ifs" applied to the vuln. 1) a user would have had to approve the escalation out of protected mode and into user space and 2) the same user would have had to approve the UAC escalation out of user space. 
 Following that, two additional SW install warnings would have fired, which the same user would have had to approve.
 
 You are quite right, I will likely never find a FF user who believes that IE 7 on Vista is more secure. I am however as unlikely to find a remote code exploit that will be able to get around the layers of security in Vista/IE 7/8 and then find and target address space subject to ASLR.
 
 I maintain that the most secure browsing experience is found on Windows Vista x64 with IE 7/8 in its default protected mode. secureable objects available to all developers of Windows SW as brokered by the UIPI, make a great deal of sense and I see no reason why FF/Moz should not be using them for Windows Vista versions of their browser.
 Please see, http://msdn.microsoft.com/en-us/library/aa379557.aspx and,
 http://msdn.microsoft.com/en-us/library/bb250462.aspx The Windows Integrity Mechanism "just works!" For private CL/SVR apps please see, Client/Server Access Control,
 http://msdn.microsoft.com/en-us/library/aa376393(VS.85).aspx
 
 ... and NoScript is not a good answer - not all RCE are script based and what if a trusted server/site is compromised? (it happens). NoScript is incomplete and as the saying goes... "I know Protected Mode... and NoScript, you're no Protected Mode..."
 
 Finally, I'm not interested in convincing you of anything, I am interested in sharing good information about how to have a great computing experience and one that is as secure as possible. This was the basis behind my observation that I found it "interesting" that FF users were becoming aware of Vista/IE 7's security model.
 |  
 
	
		
			| #5 By
					            23275 (68.186.182.236)
					at 
					6/19/2008 12:52:16 PM |  
			| @3, I should have added more about UIPI (User Interface Privilege Isolation) using the SendMessage Function as at, http://msdn.microsoft.com/en-us/library/ms644950.aspx 
 A good bit ago, I provided you with an explanation about these topics:
 http://blog.libertech.net/blogs/lketchum/archive/2007/05/23/top-ten-things-i-love-about-windows-vista.aspx You can ignore them if you wish, but good developers and engineers do not.
 
 10 - Windows Vista's Integrity Mechanism Windows Vista includes an addition to the access control security mechanism of Windows that labels processes and other securable objects with an integrity level. Internet-facing programs are at higher risk for exploits than other programs because they download untrustworthy content from unknown sources. Running these programs with fewer permissions, or at a lower integrity level, than other programs reduces the ability of an exploit to modify the system or harm user data files. Internet Explorer 7 in Windows Vista uses the Integrity Mechanism and it is what is behind IE 7's Protected Mode. But That is only the beginning - ANY developer has access to the tools that make this possible and it gets better, any single process may be executed in this space, or any grouping of them - so the parts of an application that face the Internet should use them. Think of these as objects, or securable objects in MS speak - see, http://msdn2.microsoft.com/en-us/library/aa379557.aspx also see, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp
 
 9 - User Interface Privilege Isolation (UIPI) prevents processes from sending selected window messages and other USER APIs to processes running with higher integrity. If UAC and Protected Mode are straight rights in Vista's security arsenal, the UIPI is one of Vista's stiff jabs. UIPI continually counters attempts to escalate processes and it keeps bad-guy-code off balance. At the same time, it provides developers with an easy way to check process escalation without burning the user experience. Go here to learn how to use it, http://msdn2.microsoft.com/en-us/library/ms644950.aspx
 
 |  
 
	
		
			| #6 By
					            15406 (216.191.227.68)
					at 
					6/19/2008 2:12:49 PM |  
			| #4:  I've noticed lately that you've set NoScript in your sights.  This must be a reaction to the unfortunate reality that NoScript pretty much handles all script-based attacks.  This isn't good for someone trying to position IE as the security leader, so now you're attacking NoScript with bogus claims as to its ineffectiveness.  IE is just as susceptible to dangerous payloads manually run by the user, and a compromised trusted site is just as dangerous to both.  IE still suffers from silent driveby ActiveX downloads last I heard. 
 #5:  I guess the majority of the world's developers are no good, by your logic:
 
 http://www.computerworld.com/action/article.do?articleId=9085478&command=viewArticleBasic
 
 |  
 
	
		
			| #7 By
					            23275 (68.186.182.236)
					at 
					6/19/2008 3:40:29 PM |  
			| Latch, stop trying to scare less technical users.... ActiveX is only one form of remote method invocation.... Java RMI, FALSH Remoting... CORBA.... these are all over the *nix and certainly can impact any computer running FF/Moz. 
 At least MS - most especially in Vista, well addresses how to handle COM Client Controls (ActiveX).
 
 No. Drive by DL's in Vista are not the same - not at all. NO software may install without an authorized user's consent, PERIOD! So unless a user disables UAC (not recommended at all), all SW installs must be manually authorized (unless pushed by admins on a domain).
 
 NoScript has its place for some FF/Moz users, but not all and it is certainly not as easy to manage as Vista's IE 7 PM. Similarly, NS does not protect against vulns. that are not based upon scripts.
 
 COM (ActiveX) regardless of zone, cannot execute without a user's permission - e.g., WSS DLL files, for example do not install unless approved, or pushed by an admin.. so even Microsoft's own controls will not install on their own - not even when coming from sites in the same domain. One may set controls to install w/o permission, but that is not the default.
 
 Sadly, there are too few good devs, but that is not the same thing as the article you ref.
 
 You've presented much better arguments than this. We expect more from you than this - unless... there is nothing more, in which case the available evidence supports as I do, that IE 7 on Vista is the way to go for a more secure online experience.
 |  
 
	
		
			| #8 By
					            92283 (142.32.208.233)
					at 
					6/19/2008 5:32:53 PM |  
			| #3 Latch ... we've been through this before. Firefox hears about a bug, takes a year or to to fix. They announce the "new" vulernability (which is reallythe old one) and the patch the same day. 
 But if you follow the trail back to bugzilla you find an ancient vulnerability no one did anything about.
 |  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
   |  |  |  |